6

How do I set the TLS/SNI (https://en.wikipedia.org/wiki/Server_Name_Indication) in the Python/C++ gRPC client API?

In other words, what's the equivalent of setting the -servername in openssl s_client?

I have verified my TLS server works by using the correct flags on openssl s_client:

 openssl s_client -connect "myserver.tunnel.dev:4443" -servername "myserver.tunnel.dev" 

However, I wasn't able to set up the credentials correctly with the Python/C++ API:

import grpc

uri = "myserver.tunnel.dev:4443"
hostname = "myserver.tunnel.dev"

# dev_cert must hold the PEM-encoded root certificate(s) as bytes
creds = grpc.ssl_channel_credentials(
    root_certificates=dev_cert)
    # root_certificates=certificate_chain)
    # certificate_chain=certificate_chain)
# Channel option that overrides the target name used for the TLS handshake
channel = grpc.secure_channel(uri, creds,
    options=(('grpc.ssl_target_name_override', hostname),)
)

This throws:

grpc._channel._Rendezvous: <_Rendezvous of RPC that terminated with (StatusCode.UNAVAILABLE, Connect Failed)>

In the ChannelOptions struct, the closest option I could find is ssl_target_name_override, which doesn't work either.

steveyang
  • As suggested in srini's answer, try running with `GRPC_TRACE=all` and `GRPC_VERBOSITY=debug` to get additional details on the connect failure, e.g., `GRPC_TRACE=all GRPC_VERBOSITY=debug python client.py` – Eric G Dec 03 '18 at 18:27

1 Answer

4

Setting `options=(('grpc.ssl_target_name_override', hostname),)` should work. This is the right way to override the host name. In this case, it seems unnecessary, as your uri host and override host are the same. You could turn on some tracing by using the environment variables listed here and see if the handshake is failing or if there is some other reason for the connection failure.

srini
  • Details at https://hikingandcoding.wordpress.com/2022/01/19/securing-google-remote-procedure-calls-grpc-using-asynchronous-python/ – Bruno Rijsman Jan 24 '22 at 03:33